authorBenoit Fouet <benoit.fouet@free.fr>2009-01-26 09:41:23 +0000
committerBenoit Fouet <benoit.fouet@free.fr>2009-01-26 09:41:23 +0000
commita44cb89b0f53d55dd1814138ba6526ecaf985f12 (patch)
tree7ce97583fd3f1704ecd653ec80f6f65f3fe1c1e2
parentf2f35d33648959b61d917b8b9439d4653dc770e9 (diff)
downloadffmpeg-a44cb89b0f53d55dd1814138ba6526ecaf985f12.tar.gz
Fix an exploit in indeo by checking we are not writing out of the strip array.
Fixes issue 655. Originally committed as revision 16802 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/indeo3.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index eea27f927c..d041be75ee 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -252,6 +252,10 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
if(cmd == 0) {
strip++;
+ if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+ av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+ break;
+ }
memcpy(strip, strip-1, sizeof(*strip));
strip->split_flag = 1;
strip->split_direction = 0;
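Review bot: The bounds test runs after `strip++`, so on the rejected path `strip` is left pointing one past the end of `strip_tbl` when `break` leaves the loop. Forming that pointer is legal and the `memcpy` is correctly skipped, but the loop condition and whatever follows the loop are outside this hunk, so it is worth confirming that nothing dereferences `strip` after the break. Testing before the increment keeps the pointer in range on every path: `if(strip + 1 >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {` with `strip++;` moved below the guard. The same applies to the `cmd == 1` branch in the next hunk.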
@@ -259,6 +263,10 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
continue;
} else if(cmd == 1) {
strip++;
+ if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+ av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+ break;
+ }
memcpy(strip, strip-1, sizeof(*strip));
strip->split_flag = 1;
strip->split_direction = 1;
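Review bot: The overflow of `strip_tbl` is reported only at `AV_LOG_WARNING`, and since the hunk header shows `static void iv_Decode_Chunk`, the caller has no way to learn that the chunk was malformed and decoding stopped early. The split commands come from the bitstream, so this path means corrupt or hostile input; `AV_LOG_ERROR` would fit better, and the message could say what overflowed, e.g. `"strip table overflow, aborting chunk decode\n"`. A one-line comment above the guard, such as `/* cmd comes from the bitstream: refuse to split past the end of strip_tbl */`, would record why the check exists. Whether the partially decoded plane is acceptable to the caller cannot be judged from these lines.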